As a DFIR examiner, poring over internet history records is a well-loathed daily activity. We spend hours looking at these lists trying to find an interesting URL that moves our case one direction or another. Sometimes we can use a filtering mechanism to remove URLs that we know for certain are uninteresting, but keeping a list like this up to date is a manual task. I used Websense to assist with this type of work at my previous job, but I have also had brief experiences with Blue Coat. as well.

EnCase is an extensible digital investigation platform. Simply put, extensibility reduces time and effort for the investigator. One way to validate this claim for yourself is to take a look at the depth and breadth of the ways EnCase can work with existing tools in your kit. For example: Do you already own Magnet Forensic's IEF? IEF and EnCase work together to reduce work for investigators. Have you considered how to integrate threat intelligence into your DFIR regimen? EnCase and Cisco Security (formerly ThreatGRID) collaborate to reduce IR time and effort. Let’s walk through a few ways extensibility works in your favor.

In my last post, I summarized a handful of apps that are useful to search and explore your case, and apps that help with malware investigations. For latest updates on apps go to EnCase App central directly, or follow us on twitter @EnCase.

Without further ado, here are some more apps that we hope can help you make your case:

I’ve recently taken to tweeting about some of the latest additions to EnCase App Central and it’s been a reminder of the impressive ingenuity and dedication within the digital investigations community. Our humble app store has grown to house over 100 solutions, extending and increasing the efficiency and efficacy of digital investigations. At Guidance Software, we take pride in shipping software that helps investigators find more evidence, faster and we see EnCase App Central as a key component of EnCase.

Over the past couple of years the Guidance Software EnCase consultants and trainers have provided advice and assistance concerning how to manage the digital artifacts from RAM or memory analysis when using Volatility as their tool of choice. The two blog posts below provide insight into the progress.

Recovering evidence that has been removed from a target machine is tough enough, but then you have to figure out how that evidence was removed and when. Suspects are increasingly removing hard drives from machines or simply dragging and dropping incriminating evidence to thumb drives, cameras, mp3 players or other USB gadgets. The good news is that they digital footprints are often left behind when they plug these devices into the system, and the artifacts that can be recovered often lead to insights about the suspect’s behavior or recovery of the removed data itself.

One of the most popular EnScripts/apps on EnCase App Central addresses this challenge by automating the Window’s Registry examination by locating and reporting on the artifacts that are created when an entry is made in different hives in the registry. For example, when a USB storage device is inserted into a machine, a key is created in the Windows Registry, and everything the operating system needs to know about that storage device is contained in that key. The Registry was first introduced with Windows 95 and has been incorporated into many Microsoft operating systems since. Within the Windows operating system is a list of all the USB devices that have been connected to the system in the past. Information includes the device description, its type (printer, camera, disk drive, etc), whether it was connected via a USB hub, its drive letter, and the device's serial number. All of these information types can be identified under the right conditions.

This is the first in a series of brief, but frequently asked questions and answers about working with EnCase® Enterprise Version 7. We hope they save you time and help you close cases faster.

One of the questions we are often asked in Technical Services about working with e-mail searches is, "When I find a relevant e-mail attachment, how can I find the e-mail that the attachment belongs
to?" Searching in e-mail may result in
keywords being found in both e-mails and attachments. This is how to locate
the e-mail to which the attachment belongs:

It wasn’t that long ago that we celebrated the 10,000th download at EnCase® App Central. As a source of excellent and fully tested apps that solve real problems for digital investigators, we are extremely pleased that it has become a regular stop for our EnCase community of developers and investigative pros.

Now we’ve passed the 15,000th download mark, with a few key apps topping the charts as most popular:

EnCase App Central opened its virtual doors in early spring this year with the goal of providing functionality and efficiency to EnCase users by offering EnScripts, templates, and 3rd party Apps. After just a few months, driven by the power of the EnCase community and our 3rd party partners; App Central has become the primary source of efficiency-driving solutions for the tens of thousands of EnCase users worldwide.